Cyber Crime

Microsoft Office 365 targeted with massive Cerber ransomware 0-day campaign

Cloud security provider Avanan discovered a number of Cerber Ransomware variants targeting corporate Office 365 users with malicious emails.

Cloud security provider Avanan spotted a number of Cerber Ransomware variants that are targeting corporate Office 365 users with spam or phishing emails leveraging on malicious file attachments.

Threat actors sent an Office document that embedded malicious macros to download the ransomware.

Cerber ransomware zero day campaignCerber ransomware zero day campaign

According to a report published by Avanan, threat actors exploited a zero-day vulnerability to deliver the Cerber ransomware,

The ransomware campaign started on June 22, the day after Microsoft started blocking the attachment used in the attacks.

“Starting June 22 at 6:44 a.m. UTC, Avanan’s Cloud Security Platform started to detect a massive attack against its customers that were using Office 365. The attack included a very nasty ransomware virus called Cerber, which was spread through email and encrypted users’ files.” states the report.

Experts from Avanan revealed that the attackers behind the campaign tried to send messages to 57 per cent of the organisations on its security platform using Office 365.

“While difficult to precisely measure how many users got infected, Avanan estimates that roughly 57 percent of organizations using Office 365 received at least one copy of the malware into one of their corporate mailboxes during the time of the attack.”

This specific ransomware encrypts files with AES-256 and requests a 1.24 Bitcoin ransom for unblock the user’s documents.

The experts noticed that strain of the Cerber ransomware used in the attack also takes over the host audio system to read out its ransom note.

Unfortunately, macro-based attacks are still effective, early 2015 the Microsoft Malware Protection Center (MMPC) issued an alert about a surge in the infections of malware using macros to spread their malicious code. The researchers at Microsoft observed a major increase in enable-macros based malware, the most active codes included Adnel and Tarbir.

Recently the campaigns conducted to deliver the Locky and Dridex ransomware malware also leveraged on malicious macros to spread the threat.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Google Widevine DRM, piracy)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Texas Department of Transportation (TxDOT) data breach exposes 300,000 crash reports

Hackers breached Texas DOT (TxDOT), stealing 300,000 crash reports with personal data from its Crash…

8 hours ago

SAP June 2025 Security Patch Day fixed critical NetWeaver bug

SAP fixed a critical NetWeaver flaw that let attackers bypass authorization and escalate privileges. Patch…

11 hours ago

U.S. CISA adds RoundCube Webmail and Erlang Erlang/OTP SSH server flaws to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds RoundCube Webmail and Erlang Erlang/OTP SSH server flaws…

14 hours ago

Mirai botnets exploit Wazuh RCE, Akamai warned

Mirai botnets are exploiting CVE-2025-24016, a critical remote code execution flaw in Wazuh servers, Akamai…

18 hours ago

China-linked threat actor targeted +70 orgs worldwide, SentinelOne warns

China-linked threat actor targeted over 70 global organizations, including governments and media, in cyber-espionage attacks…

21 hours ago

DOJ moves to seize $7.74M in crypto linked to North Korean IT worker scam

US seeks to seize $7.74M in crypto linked to North Korean fake IT worker schemes,…

1 day ago